Why Not Install a Desktop Environment?

A web server does not need a desktop and installing one only consumes resources and possibly introduces stability issues. Also, by using SSH to remotely manage the server, you can simply copy/paste commands from this guide, simplifying the entire process.

Which Distro Do I Want?

Most web servers on the Internet run CentOS or Ubuntu. So if you are developing for shared hosts, you will most likely want to focus on these two distros. Fedora is an alternative to CentOS which may contain features not yet included in CentOS. Debian is to Ubuntu as Fedora is to CentOS. OpenSUSE only has a small share of the web server market, but is increasing in popularity. I only recommend Arch Linux for advanced users. Of the top one million web servers, less than 2% run Windows, so we won’t even bother with looking at a WAMP stack (the Windows variant of a LAMP stack).

Should I Use LVM and What File System Should I Use?

I highly recommend using LVM because it allows you to expand file systems across multiple disks (much like Dynamic Disks in Windows).

As for which file system to use for the individual partitions, that’s a little more complicated. In simplest terms, I recommend Ext3/4 for the boot partition and either Ext4, XFS, or BtrFS for other partitions. Ext4 has been around forever, but many distributions are migrating to BtrFS or XFS as the default. So it’s a toss-up as to whether you want a more modern file system or one that may be slightly more stable. RedHat variants (like CentOS and Fedora) have dropped official support for BtrFS due to its slow development. XFS isn’t quite as efficient as Ext4 and BtrFS at handling small files. Short version: for a partition that has large database files, XFS is your best option. If you want a cutting-edge file system BtrFS is your best choice. Ext4 is good all around but is a bit dated. One minor limitation of XFS is that you can’t shrink the partitions, but given that it is more well-developed than BtrFS, it may still be your best bet.

Don’t bother with ReiserFS. Since Hans Reiser went to prison for murder, development on this awesome file system has stalled. Some distributions may use ZFS by default, but I’m not thrilled with the licensing restrictions of ZFS. There’s also JFS, but it isn’t very popular for Linux and only a few distributions support it by default.

Installing Operating System

Important: these instructions assume you are installing on a system without UEFI support (such as a VirtualBox or Hyper-V Generation 1 VM). If installing on a physical machine with UEFI enabled or a virtual machine with UEFI support, you will need to create an additional EFI System Partition at least 100 MiB in size (some guides suggest as much as 500+ MiB, so you may need to allocate more). You can easily do so via the installer for all distributions listed here (with the exception of Arch Linux). See this article if you want more information.

CentOSFedoraUbuntuDebianopenSUSEArch LinuxArch Linux (UEFI)

Download your desired ISO (DVD image). Get the minimal CentOS ISO from their website or a Torrent (recommended). If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:

Depending on your version of CentOS and VirtualBox, you may not have mouse support when running the installer, so use the arrow keys, tab key, page up/down keys, etc. if necessary.

Boot to the DVD or start the VM to begin installation. First, configure the network settings. The following screenshots will work for a VirtualBox installation configured as in the previous post. CentOS does not enable network adapters by default, so be sure to enable them. The second adapter in the screenshots is the host-only adapter mentioned in the last post. Setting this to a static IP is highly recommended. Your network settings may differ.

Setup your timezone. You should not enable the NTP client (Network Time) if running as a virtual machine (let VirtualBox set the VM clock):

Change the automatic partitioning! CentOS allocates most of the drive to a partition for the /home directory. This is inefficient for a server, since very little should be kept there. It is recommended that you allocate more space for directories reserved for software installations. You could just allocate everything to the root directory, but if the file system became corrupt on root, you would lose everything. This is how I set up my 200 GiB drive.

Unless you need to change them, ignore the other options on this page and just begin the installation. During installation you should set a root password. A separate user is also recommended unless you plan to setup Active Directory or LDAP support later (not covered in this guide series). When creating this user be sure to check the box "Make this user administrator" to automatically set them up as a sudo user (having the ability to run administrator commands via sudo).

After installation you may need to eject the DVD or unmount the ISO to boot to the hard drive.

Download your desired ISO (DVD image). Get the Fedora Server ISO from their website or a Torrent (recommended). If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:

Boot to the DVD or start the VM to begin installation. First, configure the network settings. The following screenshots will work for a VirtualBox installation configured as in the previous post. The second adapter in the screenshots is the host-only adapter mentioned in the last post. Setting this to a static IP is highly recommended. Your network settings may differ.

Setup your timezone. You should not enable the NTP client (Network Time) if running as a virtual machine (let VirtualBox set the VM clock):

Change the automatic partitioning! You could just allocate everything to the root directory, but if the file system became corrupt on root, you would lose everything. This is how I set up my 200 GiB drive for this guide.

Unless you need to change them, ignore the other options on this page and just begin the installation. During installation you should set a root password. A separate user is also recommended unless you plan to setup Active Directory or LDAP support later (not covered in this guide series). When creating this user be sure to check the box "Make this user administrator" to automatically set them up as a sudo user (having the ability to run administrator commands via sudo).

After installation you may need to eject the DVD or unmount the ISO to boot to the hard drive.

Download the latest Ubuntu Server LTS image from their website or via BitTorrent (recommended). If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO:

Boot to the DVD or start the VM to begin installation. The install process is very simple. Basically just go with defaults until you reach the section on partitioning. As noted on their download page, the default installer no longer supports LVM, so you will need to download the alternate installer if you want to create LVM partitions during the initial installation (apparently the new installer will still install to existing LVM partitions if created via another method). The following screenshots assume you are using the new (18.04) installer, but check out the instructions for Debian if using the traditional installer. Here is how I configured a 200 GiB drive for Ubuntu Server 18.04:

Be sure to select the option to install SSH server, but otherwise just stick with defaults.

Since this installation will not include a GUI, all you need is the smaller CD image from their website or via BitTorrent. Most users will want the amd64 version. Burn the ISO to CD if you need a physical disc or just mount in your virtual machine. Although you could download the full set of DVD images, I recommend only downloading the CD image or the first DVD image. The reason for this is the package manager will look for the discs every time you install a new package rather than looking online first if it knows you have the full DVD set, which can get annoying because you will be constantly swapping discs/images.

Boot to the disc or start the VM to begin installation. Choose the graphical installation option to make things a little easier. The install process is very simple. Just do what it says until you reach the section on partitioning. Following is how I configured my partitions.

If installing from the CD image rather than the DVD image, be sure to select the option for enabling a network mirror for downloading software packages! After the initial installation, you will be presented with a screen to install additional packages, such as a desktop. Since we want a headless installation, but we do want SSH, change the options as in the following screenshot (your choices may vary, but this is all you need for now):

Download the openSUSE Leap DVD image from their website directly or via BitTorrent. I recommend not using Tumbleweed for servers since it is a rolling release. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO.

Boot to the DVD or start the VM to begin installation. Be sure to choose the "Server" option as the system role.

When you get to the step about partitioning, change the defaults to allocate partitions for where we will be installing our compiled software. The following is how I setup my 200 GiB drive in a virtual machine.

On the "Clock and Time Zone" page, if this is a virtual machine, you may want to click the "Other Settings" button and disable the NTP client (enabled by default).

Next you should configure a new user. I recommend not using the same password for the root user or logging in automatically.

On the final page, you may want to enable the firewall and SSH:

Unlike the other distros I cover, Arch Linux does not include an installer. So this is not for the faint of heart. I will simplify the process as much as possible. For more information, you can check out the installation guide on the Arch Linux wiki. Note that the method I cover here is very different from previous versions of these tutorials, but it works around some current issues with LVM in the latest version of Arch Linux.

Download the Arch Linux ISO. I recommend using the BitTorrent download method. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO.

Boot to the DVD or start the VM. In my case, I was able to skip setting up the network interface since Arch Linux detected the proper default route automatically.

You will need to partition the hard drive from the command line before you do anything else. For the sake of consistency I partitioned this system the same as the others with a 200 GiB drive. The following commands allowed me to do this:

Don’t forget to remove the install disc or unmount the ISO to ensure you boot to the new installation.

This section is only applicable if you are installing on a physical or virtual machine with UEFI support. While doing so for other distros is as simple as adding an EFI System Partition, the more complex nature of installing Arch Linux deserves its own section in this case.

Download the Arch Linux ISO. I recommend using the BitTorrent download method. If installing to a physical machine, burn the ISO to DVD. If installing to a virtual machine, mount the ISO.

Boot to the DVD or start the VM. In my case, I was able to skip setting up the network interface since Arch Linux detected the proper default route automatically.

You will need to partition the hard drive from the command line before you do anything else. I had a 200 GiB drive and wanted to use LVM, 30 GiB for the root partition, 1 GiB for the boot partition, 550 MiB for the EFI System Partition (as recommended on the Arch Linux website; though I think you could get away with far less), 80 GiB for the /usr/local partition, and 4 GiB for the swap partition. The rest I wanted to go to a partition mounted to /opt. The following commands allowed me to do this:

Note: for that last line, if you are installing an older version of Arch Linux, you may need to change the parentheses to quotes.

Important: on some UEFI systems, you may run into an error where GRUB won’t load after the next cold boot. I’ve only seen this issue when running under VirtualBox, but it could occur in other cases. There is a fix (shouldn’t hurt to do this even on a system that doesn’t encounter the issue):

Don’t forget to remove the install disc or unmount the ISO to ensure you boot to the new installation.

Sudo

Sudo allows a standard user to run commands as root. It is highly recommended that you use this rather than logging in directly as root.

CentOS/Fedora/UbuntuDebianopenSUSEArch Linux

Sudo is installed and configured by default, so we can skip that step. But you may want to test it after logging in with:

sudo ls /

Debian (as of this writing) does not install sudo by default, so this is the first thing we need to address. So instead of logging in as the normal user, log in as root using the password you configured during install.

First, you must install sudo:

apt install sudo

You may be prompted to re-insert the installation disc. Do so as needed. The default Debian installation of sudo allows sudo access to all users of the "sudo" group (not "wheel" like other distros use). So, to make your normal username capable of running commands via sudo, do (replace "username" with the name of the user you setup):

adduser username sudo
logout

Now you can log back in as your normal user and test sudo with:

sudo ls /

Log in as the user created during installation. OpenSUSE installs sudo but doesn’t configure it the same way as other distros, so for now whenever you type "sudo" you may be prompted to enter the root password rather than your user password. Let’s fix that first…

You may prefer to use nano over vi to make text editing simpler, so install it and then run visudo with nano:

sudo su
zypper install nano
export EDITOR=nano
visudo

Scroll down to find the following lines:

Defaults targetpw # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

Comment (add a pound sign and space) to both lines so it reads:

# Defaults targetpw # ask for the password of the target user i.e. root
# ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

Scroll down to find the following line and un-comment it (remove the pound sign and first space):

# %wheel ALL=(ALL) ALL

Now use CTRL+X to save the file and exit. Then do the following (replace "username" with your normal username):

usermod -G wheel username
exit
logout

Now log back in as your normal user and make sure sudo is setup properly by doing the following (it should ask for your password and not root’s):

sudo ls /

After installation, log in as the root user with the password you created earlier. Now to configure sudo:

export EDITOR=nano
visudo

Scroll down to find the following line and un-comment it (remove the pound sign and first space):

# %wheel ALL=(ALL) ALL

Now create a new username for yourself as a member of that group (replace "username" with the name of your new user):

Now you can log in with this new username. Whenever you need to run administrator commands as that user, simply preface them with "sudo". As a simple test to make sure this is working, run the following to show the files in the root directory:

sudo ls /

Configure Network Adapters

CentOSFedoraUbuntuDebianopenSUSEArch Linux

I’ve noticed several times that even when you enable all network adapters during installation, CentOS doesn’t always actually enable them. You can use nmtui to enable any disabled adapters. Just run the following command and use the arrow keys and Enter to enable any disabled adapters (those without asterisks beside them):

sudo nmtui

Before doing anything else, I recommend installing a simple text editor. By default, CentOS uses vi, which is very powerful but possibly intimidating to new users. So do:

sudo yum install nano

CentOS does not include the host name you chose during installation in the hosts file. Although this shouldn’t be needed, it can cause issues with some software (like Apache). So do:

sudo nano /etc/hosts

Edit the file to include the local host name as well as the host+domain. Then use CTRL+X to exit nano and save the file. Following is an example of what the file contents may look like:

You could probably skip adding the second loopback address (127.0.1.1), but this has been the recommended method for years due to a bug with IPv4 in Linux.

The latest version of Ubuntu no longer adds the host name to the hosts file (previous versions did), so you may want to do so for Apache to function properly:

sudo nano /etc/hosts

Edit the file to include the local host name as well as the host+domain. Then use CTRL+X to exit nano and save the file. Following is an example of what the file contents may look like:

Ubuntu now uses NetPlan to manage network interfaces. You may have noticed during the installation process that you had few (if any) options for configuring your interface(s), so you will probably need to make some changes now, especially if using a static IP address (recommended). For CLI installations, this means using the networkd renderer. Here’s what I did to set a static IP address for the host-only adapter on my VirtualBox test machine…

First, I obtained a list of the interfaces with:

ip link

This showed me an interface named enp0s3 and another named enp0s8. The latter was the one I needed to assign a static IP to, so I created a new configuration file with a high priority specifically for this interface by doing:

sudo nano /etc/netplan/99-netcfg.yaml

In this new file I typed the following to force this interface to always use the static IP address I desired:

I didn’t need DNS or a default gateway, so this was enough for my setup (see the above link if you need to configure more). To apply the new settings, I simply did:

sudo netplan --debug apply

You shouldn’t need to alter the hosts file if you set everything correctly during installation since Debian automatically adds an entry for the host name you set. Let’s see what adapters are enabled and their current IP addresses (note if you’re using an older version of Debian before they updated systemd, the interface names will be "ethx" where x is a number; this may sound simpler, but there are good reasons for this change):

ip addr

As you can see, in my case only the primary interface was enabled by default. So I did the following:

sudo nano /etc/network/interfaces

I then added the following to that file (change to match your configuration):

For some reason, unlike Ubuntu, Debian does not re-enable interfaces setup for DHCP when restarting the networking service, so do:

sudo ip link set dev enp0s3 up
sudo dhclient -r
sudo dhclient

One of the nice things about openSUSE is the handy YaST tool. Many users may not be aware that there is a terminal version of this tool for CLI installations. To launch it:

sudo yast

Just use your tab and enter keys (or the Alt shortcuts designated by the highlighted characters). In my case, the second network adapter was not configured and I wanted to give it a static IP accessible via the VirtualBox host-only network:

You should also use this tool to edit the host name and add it to the loopback hosts entries as follows. Note that I did not check the "Assign Hostname to Loopback IP" option in "Network Settings" but added it separately (this is safer, especially if using IPv6):

Now exit YaST (usually with F9).

First, get the name(s) of your network interface(s):

ip link

I wanted to set the first interface with a dynamic IP address and the second with a static one. First, create netctl profiles for the interfaces (note that I didn’t need a gateway or DNS for the secondary interface, but you could add them if need be):

It is recommended that you add the Packman repo, since the official SUSE repos don’t always contain the needed or packages (or contain older versions). I’m using a mirror in Germany, but you can check the list of mirrors and choose another if you wish. Change the SUSE version to match what you are running.

If the Packman mirror you add doesn’t work for some reason, do the following before trying another one:

sudo zypper rr Packman

Install all updates and reboot:

sudo zypper update
sudo reboot

Install all updates and reboot:

sudo pacman -Syu
sudo reboot

SSH

Now setup SSH securely for remote access:

CentOS/Fedora/openSUSEUbuntu/DebianArch Linux

It is optional, but recommended, that you disable the ability to log in directly as the root user now that you have another administrator account setup. You may wish to skip this if you are less concerned with security and/or are concerned that you may screw up your sudo configuration in the future:

sudo passwd -l root

As an additional security measure, you should restrict access from members of the "wheel" group to the local network. So do:

sudo nano /etc/security/access.conf

Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):

-:wheel:ALL EXCEPT LOCAL 192.168.56.0/24

After saving the above file, make sure SSH will comply with those restrictions by doing:

sudo nano /etc/pam.d/sshd

Insert the following line immediately after the first line "#%PAM-1.0" (this placement is important):

auth required pam_access.so

It is optional, but recommended, that you disable the ability to log in directly as the root user now that you have another administrator account setup. You may wish to skip this if you are less concerned with security and/or are concerned that you may screw up your sudo configuration in the future:

sudo passwd -l root

As an additional security measure, you should restrict access from members of the "sudo" group to the local network. So do:

sudo nano /etc/security/access.conf

Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):

-:sudo:ALL EXCEPT LOCAL 192.168.56.0/24

After saving the above file, make sure SSH will comply with those restrictions by doing:

sudo nano /etc/pam.d/sshd

Un-comment (remove the pound) the following line:

# account required pam_access.so

It is optional, but recommended, that you disable the ability to log in directly as the root user now that you have another administrator account setup. You may wish to skip this if you are less concerned with security and/or are concerned that you may screw up your sudo configuration in the future:

sudo passwd -l root

As an additional security measure, you should restrict access from members of the "wheel" group to the local network. So do:

sudo nano /etc/security/access.conf

Scroll to the bottom of this file and add a line such as the following (this is in keeping with the virtual machine settings as shown previously, but change the subnet to match your network):

-:wheel:ALL EXCEPT LOCAL 192.168.56.0/24

After saving the above file, make sure SSH will comply with those restrictions by doing (first install OpenSSH):

Insert the following line immediately after the first line "#%PAM-1.0" (this placement is important):

auth required pam_access.so

You can now use any SSH client to connect to the server. I highly recommend this as opposed to typing commands directly on the server console, partly because you can copy/paste commands from this guide into the SSH client. On Windows, I like the Bitvise SSH Client (free as of this writing), particularly for its built-in SFTP transfer client. Or you could use PuTTY or another client. Just point them to the IP address of this new server and use the username/password you just configured (if using VirtualBox as in the previous post, point to the IP address of the host-only adapter).

Important: When copying/pasting commands in this guide into an SSH terminal, you may be prompted for your password for sudo. So if copying multiple lines at a time, you may want to run sudo first, which will normally prevent this from happening. Or just copy/paste one line at a time.

Firewall

CentOS/FedoraUbuntuDebianopenSUSEArch Linux

Important note on firewall: there were previously bugs where conflicts between firewalld and Network Manager would cause firewall zone settings to be lost (especially with multiple adapters) on reboot. This means all adapters would be in the default zone after reboot. This was fixed in both Fedora and CentOS in 2017, so it is important that all packages be up to date as mentioned earlier.

If you have multiple network adapters (as I have setup in VirtualBox), you may want to place your local adapter in a separate firewall zone so you can limit which services are accessible to the Internet. First, check which adapters are in which zones:

firewall-cmd --get-active-zones

As you can see, CentOS places all adapters in the "public" zone (Fedora uses the zone "FedoraServer" as the default). Let’s move our local adapter ("enp0s8" in this example) to the "work" zone:

The reason we are rebooting at this point is to ensure the change truly is permanent. This is where the bug shows up if you didn’t install updates. Check that the change really worked by once again running:

firewall-cmd --get-active-zones

Enable HTTP/HTTPS for the "work" zone (or whatever zone you assigned your adapter to) and check that the desired services are enabled:

By default, the firewall is installed but not enabled. Let’s create rules to allow SSH, HTTP, and HTTPS from the local network (default rules will block all other incoming connections) and enable the firewall. Change IP range and ports as required:

As of this writing, the CLI version of YaST does not support modifying the firewall as it did in previous versions of openSUSE, so you will need to set up the firewall in a similar way as mentioned for CentOS. So first, do the following:

ip link
ip address

In my case, under VirtualBox, I was able to determine that eth0 was my NAT interface and eth1 was my host-only interface. Could have found the same information via YaST.

Now let’s check which interfaces are assigned to which zones (by default they are all in the public zone):

sudo firewall-cmd --get-active-zones

Now check which services are enabled for every zone:

sudo firewall-cmd --list-all

If you need a list of all the default zones:

sudo firewall-cmd --get-zones

In my case I wanted eth0 assigned to the public zone and eth1 to the work zone:

"The Arch Way" of keeping things as simple as possible encourages us not to use a frontend for iptables like other distros do. So let’s clear any existing iptables rules (there shouldn’t be any) and set it up from scratch. Note that I’m limiting some rules to a specific interface (for example, we don’t want to open SSH to the public interface). These steps are based on an article from the Arch Linux wiki:

When I did this with the current version of iptables, I noticed it had automatically created a rule I hadn’t added:

-A INPUT -p ipv6 -j ACCEPT

Since these rules only affect IPv4, I assume this refers to IPv6 tunnels in IPv4, in which case this rule would allow all such incoming packets. Since I had no need for this functionality, I deleted the rule:

sudo iptables -D INPUT -p ipv6 -j ACCEPT

Once you have everything set up the way you want, save the rules again if you made any changes:

sudo su - -c "iptables-save > /etc/iptables/iptables.rules"

Now we should setup iptables for IPv6. Start by copying the IPv4 rules:

sudo cp /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules

Several changes need to be made for IPv6 compatibility. In this example, the following commands should fix the rules correctly:

VirtualBox Guest Additions

If this is a virtual machine installed under VirtualBox, it is recommended that you install the VirtualBox Guest Additions. If running under another hypervisor like Hyper-V, chances are your distribution already contains the guest services installed automatically (though I still find it helpful on some distributions to install the Linux Integration Services, especially for dynamic memory allocation). There are a few basics we need to ensure are installed for the VirtualBox Guest Additions:

You may receive an error about the missing X.Org (desktop). This is expected. Just ignore it. If you already have a version of the Guest Additions installed, the installer will warn you. In this case, you should remove the existing version using your package manager before doing the above installation. Here are some common examples (the Guest Additions don’t exist in the official CentOS/Fedora repos):